2010 ANNUAL COMPLIANCE REPORT 


NAIS 


Network Advertising Initiative 


February 18, 2011 


EXECUTIVE SUMMARY 


The Network Advertising Initiative (“NAI”)! has completed its 
second annual compliance review of its member companies under its 
2008 self-regulatory code of conduct (“NAI Code”). This report sets 
forth the NAI’s findings with regard to the compliance of the evaluated 
member companies in 2010; details the sharp increase in consumer 
usage of the NAI’s consumer opt out and educational resources; 
summarizes the efforts of NAI member companies to enhance 
transparency and choice with respect to online advertising; and 
includes NAI staff’s policy recommendations for the NAI’s compliance 
program going forward. 


In 2010, thirty-four member companies went through the NAI’s 
annual review process.’ As detailed in this report, evaluated member 
companies responded to a detailed written questionnaire and 
participated in multiple interviews that included high-level 
management and relevant engineering staff. NAI staff reviewed 
members’ written responses, conducted interviews of member 
companies, and independently evaluated companies’ business 
practices as described on their websites, privacy policies, proprietary 
business materials, terms of service, contracts, and marketing 
materials. The NAI compliance staff also used technical methods to 
assess members’ compliance, including testing their opt-out tools. 
Throughout this process, NAI compliance staff made compliance 
findings, educated members about NAI requirements, and informally 
shared best practices suggestions with NAI members. 


i The NAI is a coalition of leading online advertising companies committed to 


developing actionable self-regulatory standards that establish and reward responsible 
business and data management practices and standards. 

z The 34 member companies subject to review in 2010 are listed on page 2. 
These 34 companies are referred to in this document as “evaluated members” or 
“evaluated member companies.” The NAI experienced rapid growth in 2010, with an 
additional 27 companies admitted to membership (all of which will be subject to the 
annual compliance process in 2011). As of December 31, 2010, there were 61 
member companies. The NAI’s membership includes the great majority of the 
marketplace for online behavioral advertising, including all 15 of the largest 
advertising networks. See 

http://www.comscore.com/Press Events/Press Releases/2010/1/comScore Release 
s December 2009 Ranking of Top Ad Networks. 
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The review demonstrated that, on the whole, the evaluated 
member companies met their compliance obligations with respect to 
the requirements of the NAI Code. The NAI Code encompasses ten 
subject areas that include approximately twenty substantive 
requirements for the NAI and its member companies. The vast 
majority of evaluated member companies met their compliance 
obligations with respect to all twenty obligations. 


As detailed in this report, however, the compliance review 
revealed issues with some members’ compliance with the requirement 
to provide fully-functioning opt outs; the application of the NAI’s 
policies with respect to uses of non-cookie technologies for advertising 
purposes; and in one case, adherence to the NAI’s requirements for 
sensitive health-related information. Drawing on the findings of the 
compliance review process, as well as recent policy developments and 
emerging marketplace best practices, NAI staff has made substantive 
recommendations to enhance best practices and compliance going 
forward in 2011. These recommendations include: 


e Increasing Transparency for Uses of Health Related Data: 
Member companies should be required to publicly disclose any 
standard segments used for Online Behavioral Advertising (OBA) 
purposes that are based on health related information. 


e Ensuring Transparency and Control for Non Cookie 
Technologies: The NAI should expand its policy to provide that 
non HTTP cookie tracking technologies, such as Flash cookies, 
Web browser cache, or similar technologies, should not be used 
for OBA, Multi Site Advertising, or Ad Delivery and Reporting 
purposes until they provide the same level of transparency and 
control as traditional HTTP cookies. 


e Strengthening the Annual Review Process: The NAI should 
evaluate the use of random, external assessments of compliance 
with elements of the NAI Code, such as the functioning of opt 
outs, to supplement and strengthen the existing review process. 


Consistent with the NAI Code’s transparency requirement, the NAI 
continues to host a centralized consumer choice mechanism that 
educates consumers about OBA and allows consumers to opt out of 
OBA by some or all of the NAI’s member companies. In 2010, the NAI 
website experienced rapid growth in visitors seeking information about 
OBA and the ability to exercise choice. Nearly three million unique 
visitors viewed the NAI main Web page (an increase of nearly 150% 
over 2009). Moreover, usage of the NAI’s OBA choice mechanism has 
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significantly increased: the number of unique visitors to the NAI’s opt 
out page jumped to nearly 2.3 million unique visitors in 2010 (an 
increase of 127% over 2009). Of these visitors, approximately 
472,000 went through the NAI opt out process (an increase of 58% 
over 2009).? 


The educational section of the NAI site, which informs consumers 
about OBA and explains the choices available to them, showed even 
greater growth in 2010, with more than a half-million unique visitors 
(an increase of nearly 400% over 2009).* This increased attention is 
due in large part to NAI members, who have made demonstrable 
improvements in their efforts to provide consumer education about 
online behavioral advertising. In 2010, NAI members more than 
quadrupled their contributions of advertising inventory for consumer 
education, collectively providing more than one billion ad impressions 
to the NAI’s educational campaign. In addition to these ad impression 
contributions, NAI member companies have continued to deploy and 
improve their own tools designed to educate consumers about OBA 
and to increase the transparency of their OBA practices. 


With respect to notice, all the evaluated member companies 
include notices on their websites that describe their data collection, 
transfer, and use practices, including descriptions of the online 
advertising activities undertaken, the types of data collected, and an 
easy-to-use procedure for opting out of the use of data for OBA, as 
required by the NAI Code. In an improvement from 2009 findings, all 
evaluated member companies now publicly disclose their retention 
periods for OBA data in accordance with the NAI Code. In 2010, many 
evaluated member companies greatly increased the visibility, 
readability, and usability of their consumer-facing privacy notices and 
opt out tools. With respect to the technologies used for the advertising 
purposes covered by the NAI Code, however, the 2010 compliance 
review also revealed the need for greater clarity in the NAI policy with 
respect to the uses of non-cookie technologies in browsers: based on 
findings with respect to two companies’ use of browser cache to store 
IDs to count unique users, NAI staff has recommended (and the NAI 


3 See Section III(A)(1) findings, infra. 


: See infra at 8-9. 
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adopted) a broadened policy limiting such use of the Web browser 
cache for OBA or other advertising-related purposes.” 


In addition to improving the notice that evaluated member 
companies provide to consumers on their own websites, in 2010, the 
NAI and its member companies also significantly increased their efforts 
to provide consumers with enhanced access to information about OBA 
and to opt out mechanism for OBA use. In October, the NAI joined 
other industry associations in launching the Cross-Industry Program 
for OBA self-regulation. NAI member companies have deployed notice 
and choice for OBA in and around advertisements or in new Web page 
short-form disclosures, with some already using the Cross-Industry 
Program's icon-based approach. Indeed, several member companies 
alone have produced tens of billions of impressions that included such 
enhanced notice.” The NAI has also worked with the IAB to promote 
technical standards that would facilitate these enhanced forms of 
consumer notice. ® 


NAI staff found that member companies also have increased 
their efforts to ensure that notice and choice for OBA is available to 
consumers on websites where data are collected and used for OBA 
purposes, through enforcement of contractual notice requirements 
with their partner Web sites.? In response to the 2009 compliance 


See infra at 21. 


‘ The associations with which the NAI joined include the AAAA (4A’s), the AAF 
(American Advertising Federation), the ANA (Association of National Advertisers), the 
DMA (Direct Marketing Association), and the IAB (Interactive Advertising Bureau), 
with support from the Council for the Better Business Bureaus. Those associations 
have adopted a set of principles that, like the NAI Code, impose transparency and 
choice obligations on participating member companies engaged in online behavioral 
advertising. See http://www.aboutads.info/principles/. 


f See infra at 14-15. 
3 In the Spring, the NAI and IAB jointly issued a proposed technical approach 
that would permit metadata to travel with an ad identifying the companies involved 
in the ad selection, whether behavioral information was used, and how to exercise 
choice regarding such advertising. 

http://www.networkadvertising.org/pdfs/Clear Ad Notice Tech Specs Release Fina 
l.pdf. As part of the Cross-Industry program, the NAI and IAB have also collaborated 
to develop implementation guidelines for the use of icon-driven notice. See 
http://networkadvertising.org/pdfs/Associations104release.pdf. 


z In its 2009 Compliance Report, NAI staff found that the evaluated member 


companies included appropriate provisions in their contracts requiring partners to 


iv 
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report findings, the NAI in 2010 convened a working group with the 
goal of promoting more ubiquitous notice and choice on websites 
where data are collected and used for OBA purposes. Among other 
things, this working group developed educational materials for NAI 
members to share with their partners explaining the importance of 
providing consumers notice and choice with respect to OBA. In 
addition, NAI staff increased efforts to educate NAI members about 
the importance of requiring their partners to post notice, as well as 
best practices for enforcing those requirements. These increased 
enforcement and education efforts by the NAI and its members, as 
well as increased participation in self-regulatory notice and choice 
efforts by other industry players, have led to improvements in the 
availability of notice and choice mechanisms for OBA across the 
ecosystem. Indeed, NAI staff’s analysis shows that notice and choice 
regarding OBA practices are now present on the vast majority of the 
most popular websites where data are collected or used for OBA 
purposes. 


With respect to the choice provisions of the NAI Code, NAI staff 
found that evaluated member companies have appropriate 
mechanisms in place permitting consumers to exercise the choice to 
opt out of behavioral advertising, both on their own websites and on 
the NAI’s website. NAI staff’s testing of members’ opt out tools 
throughout the year and as part of the annual compliance review 
demonstrates that, overall, they function as intended. However, as 
described in the full report, a handful of member companies have 
experienced problems with their opt-out tools, primarily as a result of 
systems changes. While these issues were primarily short-term and 
affected few users, NAI staff is recommending that member companies 
adopt (or enhance) written procedures explicitly designed to ensure 
that their offering and honoring of opt-out choices is not disrupted as a 
result of systems changes. The NAI also plans in 2011 to update its 
opt out page to include automated reporting tools that will increase 
the NAI’s ability to more rapidly identify any technical issues with the 
opt out experience. 


NAI staff found no compliance deficiencies for the evaluated 
members with respect to the portions of the NAI Code relating to the 


provide notice and choice, but largely lacked robust programs for enforcing 
contractual notice requirements. 
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collection and use of personally-identifiable information (“PII”) for 
behavioral advertising purposes. All evaluated member companies 
report that they do not use PII for OBA purposes, and that they have 
no interest in collecting PII for use in OBA. Evaluated members report 
having procedures in place to ensure that they do not receive 
unwanted PII, and, if any PII is transmitted inadvertently, to ensure 
that it is not and cannot be used for OBA purposes. The vast majority 
of evaluated companies do not intentionally collect PII from consumers 
for any purpose, and those that do collect PII for non-OBA purposes 
report having robust procedures for isolating non-identifiable segments 
before they can be used for OBA purposes. NAI staff also found no 
compliance deficiencies with respect to provisions of the Code that 
prohibit the creation of OBA segments for children under 13 without 
parental consent and that preclude use of OBA segments other than 
for marketing purposes. 


With respect to the provisions of the NAI Code relating to 
sensitive information, the compliance review revealed no compliance 
issues with respect to uses of sensitive financial or location 
information. However, with respect to sensitive health information, the 
compliance review revealed that one member company had used 
certain precise health-related categories to determine ad selection 
without obtaining opt-in consent. 


Although the company immediately agreed to cease the practice, 
NAI staff believes that a broader policy response should be 
implemented to help advance appropriate marketplace practices for 
health-related information. NAI staff believes that greater 
transparency for health-related categories used for OBA would help 
promote compliance with the Code’s requirements and would be an 
efficient means of normalizing best practices throughout the online 
advertising marketplace. Accordingly, NAI staff is recommending that 
the NAI adopt a policy that member companies be required to publicly 
disclose any standard segments used for OBA purposes that are based 
on health-related information. 


Overall, NAI staff believes that its 2010 compliance process 
provided useful oversight and continued to spread best practices 
throughout NAI membership. As in 2009, representatives of the 
evaluated member companies expressed commitment to, and a desire 
to learn from, the compliance process. In most cases, evaluated 
member companies promptly implemented suggested changes in 
privacy policies and practices for collecting and using data for 
advertising purposes. At the same time, NAI staff believes that 
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additional improvements to the compliance program would further 
strengthen the NAI’s mission of promoting transparency and choice for 
OBA. NAI staff therefore recommends that in 2011 the NAI evaluate 
the utility of implementing separate, random external reviews of key 
components of the NAI Code, such as the functioning of opt outs. 
Combined with existing compliance mechanisms, such additional 
reviews would further consumer confidence in the accountability 
provided by the NAI’s self-regulatory program. +° 


19 The NAI also will continue to work with other industry self-regulatory groups 
to harmonize compliance under the NAI Code with enforcement efforts implemented 
in 2011 under the self-regulatory principles adopted by leading advertising industry 
groups. 
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2010 ANNUAL COMPLIANCE REPORT 
I. Background 


The NAI’s Self-Regulatory Code of Conduct (“NAI Code”) 
imposes transparency, notice, and choice obligations on its members 
with respect to “Online Behavioral Advertising” (OBA).'* OBA is defined 
in the NAI Code as “any process used whereby data are collected 
across multiple web domains owned or operated by different entities to 
categorize likely consumer interest segments for use in advertising 
online.” (Code § II.1.) The Code also imposes certain limitations on the 
use and transfer of information to be used for OBA or Multi-Site 
Advertising, requires members to provide reasonable access to PII 
retained for OBA purposes, to protect data used for behavioral 
advertising, and to obtain such data from reliable sources. Finally, the 
Code imposes data retention requirements on NAI members and 
requires them to adhere to applicable law. 


The NAI’s self-regulatory model includes several mechanisms for 
ensuring the compliance of its member companies to this common set 
of principles designed to ensure that consumers are provided 
transparency and choice with respect to the use of information about 
them for OBA purposes. First, membership in the NAI requires public 
representations, subject to enforcement by the Federal Trade 
Commission under Section V of the FTC Act, that a member company’s 
business practices are compliant with each aspect of the Code that 
applies to its business model. (Code § IV.1(b).) The NAI also provides 
mechanisms, including imposing sanctions where appropriate, for 
accepting and responding to complaints or other credible claims 
relating to compliance, whether raised by consumers, regulators, the 
press, advocates, or others.” 


n The NAI Code and the NAI’s compliance procedures did not change in 2010. A 


full summary of the NAI Code, the requirements it imposes on NAI member 
companies, and the NAI’s compliance procedures, can be found in the NAI’s 2009 
Annual Compliance report. See 

http://www.networkadvertising.org/pdfs/2009_ NAI Compliance Report 12-30- 
09.pdf. 


12 


See NAI Compliance Program Attestation Review Process, at 3 (Feb. 17, 
2009), available at 

http://networkadvertising.org/managing/NAI_ COMPLIANCE AND ENFORCEMENT PR 
OGRAM Attestation Review detail.pdf. 
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As an additional means of ensuring the compliance of its 
member companies with the NAI Code, member companies are 
required to undergo an annual compliance review. This review process 
is designed to proactively examine NAI member companies’ 
attestations of compliance by ensuring that their business practices 
and public representations are aligned with the requirements of the 
Code. The review process is also intended to educate and remind 
member companies of their obligations under the NAI Code and of the 
sanctions that can result from the failure to honor those obligations, 
including referral to the NAI Board of Directors, suspension or 
revocation of NAI membership, publication of revocation by press 
release, and referral of non-compliance to the FTC or other 
enforcement bodies.'? The Code specifies that the results of this 
review, aS well as a summary of customer complaints and the 
resolution of those complaints, must be published annually. (Code § 
IV.1(e).) This document is the second annual report to be published 
under these procedures. 


For the 2010 annual compliance review, NAI staff reviewed the 
34 companies that were NAI members as of January 1, 2010** (up 
from 23 reviewed companies in 2009): [x + 1], 24/7 Real Media, 
Aggregate Knowledge, Akamai, AlmondNet, AOL Advertising (including 
Tacoda), AudienceScience, BlueKai, Burst Media, Buysight (formerly 
Permuto), Collective Media, Criteo, Datalogix (formerly Nextaction), 
Dedicated Networks, Exelate, Fetchback, Fox Audience Network, 
Google, interCLICK, Lotame, Media6Degrees, Microsoft Advertising 
(including Atlas Solutions), Mindset Media, Quantcast, Rich Relevance, 
Specific Media, Traffic Marketplace, Tribal Fusion, Tumri, Turn, 
Undertone Networks, Valueclick (including Mediaplex), Vibrant Media, 
and Yahoo!.* These 34 companies are referred to in this document as 
“evaluated members” or “evaluated member companies.” The member 
companies that joined the NAI in January 2010 or later were subject to 
review as part of the new member process, and must attest to 


13 See id. 


m Per the policies established by the NAI Board, NAI members become eligible 
for annual reviews in “the year following admission to the NAI as a new member.” 
See id. 


z Safecount, which was reviewed in 2009, has withdrawn from membership in 
the NAI and thus was not included in the 2010 review. See 
http://safecount.net/nai.php. 
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compliance with the NAI Code, but were not assessed in the 2010 
annual review process. 


II. Methodology 


Under the procedures established by the NAI for compliance 
reviews, NAI staff review the following materials to assess members’ 
compliance with the NAI Code: (1) representations of business 
practices as set forth in the members’ public and non-public materials, 
including members’ (a) public website, (b) privacy policy, (c) terms of 
service, (d) advertising contracts, and (e) marketing materials; (2) 
responses to an NAI Questionnaire regarding each provision of the NAI 
Code; (3) interviews with senior responsible executives who are 
authorized to bind the company, as well as with relevant engineering 
staff; and (4) responses to any alleged deficiencies in compliance 
raised by the press, other member companies, or the NAI’s consumer 
complaint process (if any).*® 


Under these published NAI procedures, NAI staff are required to 
advise members on what NAI Principles apply and what modifications 
in business practices may be necessary to bring the company into full 
compliance with the NAI Code. Members must remedy any compliance 
deficiencies, or adopt a plan to do so, within 30 business days of 
identification of the deficiency. NAI staff may extend this deadline, in 
its discretion, in the event of material technological constraints or 
unavoidable delays. 


The NAI’s compliance program for 2010 was based on a multi- 
stage written evaluation and interview process, as well as through a 
separate compliance training presentation. NAI companies eligible for 
review were required to provide written responses to a detailed 
questionnaire. The questionnaire asked members to describe their 
practices and policies relative to NAI Code requirements, and to 
provide supporting documentation. The topics covered by the 
questionnaire included: 


e Descriptions of any business practices involving the collection 
and use of data for OBA, Multi-Site Advertising, or Ad Delivery 
and Reporting purposes, including any new lines of business 
acquired or launched in the previous year; 


$ See NAI Compliance Program Attestation Review Process, supra note 12, at 


section 2. 


2010 NAI Annual Compliance Report 


Description of efforts to educate consumers about OBA practices 
and the choices available to them undertaken in 2010; 


Representative provisions of partner contracts requiring NAI- 
compliant notice and choice; 


Methods of ensuring that partners engaging in the member’s 
OBA and Multi-Site Advertising practices include NAI-required 
notice and choice; 


A technical description of the member’s OBA opt out mechanism, 
including its location, functionality, and testing procedures, as 
well as procedures for responding to a malfunction of the opt 
out, and any malfunctions in the opt out tool that have occurred; 


Whether the member uses any means other than http cookies to 
identify or track users; 


Contracts, processes, and controls for any sharing or acquisition 
of data used for OBA or Multi-Site Advertising; 


For any member companies that acquire PII about consumers, 
their processes for segregating PII data from OBA data and for 
isolating interest segments derived from such data prior to use 
for OBA purposes; 


How data used for OBA, Multi-Site Advertising, or Ad Delivery 
and Reporting is stored, how long it is retained, and for what 
purposes it is retained; 


Whether there is any use of sensitive, potentially sensitive, or 
health-related information for OBA or Multi-Site Advertising, and 
what policies and processes exist to govern any such use; 


Whether the member has any OBA segments targeted at 
children under 13; 


Descriptions of the policies and practices designed to provide 
security for data used for OBA, Multi-Site Advertising, or Ad 
Delivery and Reporting; 


Descriptions of the mechanisms available to consumers to 
submit questions or concerns with respect to notice and choice 
for OBA or NAI compliance, and how any such questions or 
concerns are handled; 
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e Representative samples of non-public marketing materials and 
training materials relating to OBA; and 


e Descriptions of any complaints relating to NAI compliance and 
the resolution of such complaints. 


A four-person NAI compliance team, which includes two attorneys with 
experience in privacy law, corporate compliance, and technology, 
reviewed these written submissions upon receipt. 


In addition to reviewing members’ responses to the 
questionnaire, NAI staff conducted an independent evaluation of 
member companies’ business practices. To do so, NAI staff reviewed 
members’ websites, privacy policies, terms of service, contracts with 
advertising partners, marketing materials, and press releases. In 
addition to these publicly-available materials, NAI staff reviewed 
business proprietary materials supplied by members, including internal 
policies and procedures and non-public marketing materials, contracts, 
and terms of service. The compliance team also used independent 
technical methods to assess compliance, including testing the 
functionality of members’ opt out tools, reviewing the websites of 
members’ partners for notice and choice disclosures, and testing 
members’ mechanisms for receiving and responding to consumer 
queries. Finally, the compliance team looked for any public allegations 
of non-compliance, whether raised by consumers, media reports, 
advocates, or other member companies. 


NAI staff’s review involved a multi-stage interview process. For 
these interviews, the compliance team was provided access to high- 
level management and relevant engineering staff. The compliance 
team questioned management personnel about business and policy 
issues such as OBA business practices, policies governing those 
practices, contractual requirements imposed on OBA business 
partners, and processes for oversight and enforcement of contractual 
requirements concerning notice, choice, and protections for data 
collected and used for OBA purposes. The compliance team questioned 
technological representatives about relevant data flows, opt out 
functionality, data retention, and technical measures in place to 
prevent the use of any PII for OBA purposes. NAI staff used these 
interviews both to assess members’ business practices and technology, 
and to offer “best practice” improvements to enhance transparency 
and choice, even where members’ practices were already consistent 
with NAI requirements. 
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Finally, member companies were required to attest to their 
ongoing compliance with the NAI Code and the veracity of the 
information provided in the review process. This certification 
supplements members’ public attestations, made when becoming 
members of the NAI, that they comply with the NAI Code. 


III. NAI Compliance Findings 


This section of the report sets forth the findings of NAI staff with 
respect to the compliance of the evaluated member companies with 
each substantive provision of the NAI Code, following the order in 
which the provisions appear in the Code.” 


A. Transparency/ Education 
1. NAI Education 
Standard 


The NAI Code requires members to collectively maintain an NAI 
website to serve as a centralized portal offering explanations of online 
behavioral advertising and member companies’ compliance with the 
NAI Principles, including information about and centralized access to 
consumer choice mechanisms. (Code § III.1(a).) 


Findings 


The NAI’s website hosts educational materials, an explanation of 
the NAI Principles, an opt out page, and a mechanism for consumers 
to register complaints against member companies. In 2010, the NAI 
site saw a large increase in visitors seeking information about OBA and 
the ability to exercise choice: traffic to the NAI main web page 
increased by nearly 150% over 2009, with approximately 2.8 million 
unique visitors to the NAI main Web page. 


17 NAI compliance is a continuing obligation, and the annual compliance review’s 


findings may be supplemented as appropriate. 
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Visits to NAI Consumer Portal 


Year Total Unique 
-= Total User Visits User Visits 


750,784 644,917 


1,311,273 1,136,994 
3,352,441 2,842,377 


a) NAI Consumer Education 


The NAI’s consumer education efforts grew rapidly in 2010, with 
vastly increased numbers of banner ads deployed across member 
companies’ networks. In large part because of these ads, visits to the 
education section of the NAI website grew more than fivefold in 2010. 
In total, more than a half-million unique visitors viewed the NAI’s 
educational page. 


In order to help increase consumer understanding of OBA and 
the choices available to them, the NAI has developed banner ads and 
asked members to publish those banner ads across their networks. In 
2010, the NAI updated this educational campaign with new banner ads 
intended to draw even more consumers to the NAI education page. 


New NAI Banner Ads 


Learn about your 
behavioral advertising 


choices 


Do 
SERE NAI? 


ka ra Kear] ae 


Advertising helps 


power 


the Internet 


zo 
SERE NAI? 


erat Mier] ree 


In 2010, NAI members contributed more than four times the number 
of advertising impressions to the NAI’s consumer education campaign 
than they did in the previous year, collectively contributing over one 
billion ad impressions to the NAI’s campaign. 


The NAI’s banner ads link to the NAI’s consumer education web 
page. That page, first launched in June 2009, aggregates video, blog, 
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and explanatory content, together with information relating to general 
research and public policy discussion of online behavioral advertising.’® 
The videos on the NAI’s educational page were developed by NAI 
members and other independent sources and explain, in plain English, 
what cookies are, how they work, how they can be used by advertisers 
to categorize consumers into interest groups, and how users can 
delete or block them. In addition, the NAI site contains many links to 
informational articles, blogs, and regulatory materials that also 
explain, in simple terms, the technology behind behavioral advertising 
and how consumers may exercise choice with respect to cookies. 


NAI Consumer Education Web Page 


4 -(¢ h “1 http. / wow networkadvertising.org/managing/learn_more.asp ar $ 
Most Visited = Cening Started Latest Headlines A 


J Network Advertising initiative + = 


flaw. harvard. du/cookiecontest/ 
(These videos are also available on the right panel of 


may 
Got Cookies? 


Transferring data from (3.ytimg.com. 


In large part as a result of members’ publishing the NAI’s banner 
ads across their networks, the consumer education section of the NAI’s 
website showed even greater growth than the NAI’s homepage in 
2010. There were more than a half-million unique page views of the 
NAI’s educational website in 2010, approximately five times the 
number of unique visits than seen in 2009. 


19 http://networkadvertising.org/managing/learn_more.asp. 
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Visits to NAI Consumer Education Page 


Total User Unique User 
Date JaA i 
Page Views 


o Page Views 


61,628 
(105,648 


j” 


6/01/09 - 12/31/09 annualized 


615,883 521,112 


b) NAI Consumer Opt Out Tool 


The opt out section of the NAI website” clearly explains how 
consumers may opt out of online behavioral advertising by one, some, 
or all NAI members; provides consumers information about which 
member companies have active OBA cookies on their computers; and 
is designed to permit consumers to opt out of online behavioral 
advertising by all NAI member companies in only three clicks. 


NAI Opt-Out Web Page 


Opt-Out Status 

Select all) (Clear) (Submit 
Member Company Status Opt-Out 
aCerno Opt-Out Cookie . Opt-Out O 
More Information You have opted out of this network 
AdBrite Opt-Out Cookie Opt-Out O 
More Information You have opted out of this network 
AdChemy Opt-Out Cookie Opt-Out O 
More Information You have opted out of this network 
Adconion Opt-Out Cookie Opt-Out O 
More Information You have opted out of this network 
Adara Media Opt-Out Cookie Opt-Out O 
More Information You have opted out of this network 
Adify Media Opt-Out Cookie Opt-Out O 
More Information You have opted out of this network 
Advertising.com Opt-Out Cookie Opt-Out O 
More Information You have opted out of this network 


13 The NAI’s consumer webpage first launched in June 2009. The 2009 average 


visits to the NAI’s education page was 8,804 monthly visitors, which implies an 
annualized rate of approximately 105,000 total unique visitors for that year. 


20 http://networkadvertising.org/managing/opt_out.asp. 


9 


2010 NAI Annual Compliance Report 


The NAI’s opt out page works by accessing URLs hosted on 
member companies’ servers. The URLs call scripts on NAI members’ 
servers, which check for or set opt out cookies on member companies’ 
domains. All NAI members are required to integrate with the NAI opt- 
out tool as a condition of membership. The NAI website also contains 
an extensive FAQ section to aid consumers who have any difficulty in 
opting out, and, as detailed below, the website enables users to 
contact NAI staff, who can provide support to consumers in the opt out 
process. As detailed below, the NAI tests its opt out tool on a weekly 
basis, and as needed to respond to consumer concerns and questions. 


As with the NAI’s website and educational material, the NAI’s opt 
out tool saw ever-increasing interest and usage in 2010, suggesting 
that consumers are increasingly aware of OBA practices and interested 
in the choices available to them. In 2010, more than 2.2 million users 
visited the NAI opt page, an increase of more than 125% over 2009. 
Of those visitors, the number going through the opt out process rose 
by 58%, to approximately 472,000. 


NAI Consumer Opt Out Usage 


NAI Opt-Out Tool - Page Opt-Out Results Page 
Views Views 


Year Total Unique Total Unique 


2007 1,097,996 798,006 140,661 

20087! 854,842 553,629 227,758 145,156 
2009 1,502,068 1,005,017 482,531 299,647 
2010 4,556,489 2,277,065 826,350 472,437 


The surge in usage of the NAI is generally consistent with the upswing 
in usage of choice mechanisms generally.” 


oe The drop in traffic between 2007 and 2008 likely reflects the NAI’s adoption of 
new analytic tools. 
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Other offerings that leverage opt outs provided by NAI members also saw 
significant increases in usage. Privacychoice.org reported increased usage in 2010, 
with nearly 400,000 persons using its tool to set online advertising preferences. 


Targeted Advertising Cookie Opt-Out (TACO) tool and nearly two million users have 
downloaded Ghostery. See https://addons.mozilla.org/en-US/firefox/addon/11073/ 
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The NAI continues to make additional improvements to its opt 
out page. In summer of 2010, translated versions of the principal opt 
out pages were made available (in Spanish and French). The NAI also 
intends in 2011 to deploy additional improvements to the opt out 
interface, including automatic error-logging that will aid the NAI in 
further improving the reliability of the opt out experience, as well as 
accessibility features. 


c) NAI Consumer Inquiry and Complaint 
Mechanisms 


In addition to the substantial educational materials and FAQs on 
the NAI website, the NAI also provides contact information for 
consumers to report problems they have using the opt out, or to 
report issues related to member companies’ compliance with the NAI 
Code. As discussed in detail in section IV below, in 2010 NAI staff 
received and manually reviewed nearly 6,000 general consumer 
communications (concerning both NAI- and non-NAI-related issues). 


2. Member Education 
Standard 


The NAI Code requires members to individually and collectively 
educate consumers about behavioral advertising and the choices 
available to them with respect to behavioral advertising. (Code § 
III.1(b).) 


Findings 


Many NAI members have engaged in substantial individual 
efforts to educate consumers about behavioral advertising in 


(last visited January 10, 2011) and https://addons.mozilla.org/en- 
US/firefox/addon/9609/. NAI members have also participated in the launch of the 
Digital Advertising Alliance’s cross-industry principles program and its opt out 
platform (at www.aboutads.info). Like the NAI’s opt out tool, the aboutads.info opt 
out mechanism allows consumers to opt out of online behavioral advertising by some 
or all participating companies. The aboutads.info platform is fully interactive with 
the NAI’s opt out tool, allowing preferences set on either platform to be recognized 
and honored by a consumer’s browser. Finally, these options are in addition to native 
browser controls, which consumers also use to control the collection and use of their 
information. 
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accordance with III.1(b) of the Code. As noted above, NAI members 
have more than quadrupled their ad impression contributions to the 
NAI’s educational efforts by donating more than a billion ad 
impressions to the NAI’s educational campaign.” Other members, 
particularly those who do not buy media and thus do not have 
impressions to contribute, have instead donated services and content 
to the NAI website. 


NAI members have also developed their own creative video and 
other multimedia content designed to educate users about OBA and 
the choices available to them. These educational tools, summarized in 
the NAI’s 2009 Compliance Report,” reach consumers in a clear and 
consumer-friendly manner. In 2010, NAI member companies have 
continued to develop and improve tools for educating consumers about 
OBA and the choices available to them.” 


B. Notice 
1. Member-Provided Notice 
Standard 


Section III.2(a) of the NAI Code requires members directly 
engaging in OBA, Multi-Site Advertising, and/or Ad Delivery and 
Reporting to clearly and conspicuously post notice on their websites 
that describes their data collection, transfer, and use practices. The 
required notice must include clear descriptions of the following (as 
applicable): (1) the OBA, Multi-Site Advertising, and/or Ad Delivery 
and Reporting activities undertaken by the member; (2) what types of 
data are collected by the member; (3) how such data will be used, 
including any transfer to a third party; (4) the types of PII and non-PII 


a2 In 2009 and 2010, NAI members likewise contributed substantial numbers of 
ad impressions and other support to the Interactive Advertising Bureau’s (IAB) 
educational campaign, which also seeks to educate consumers about behavioral 
advertising and the choices available to them. 


= See NAI 2009 Annual Compliance Report, supra note 11, at 20. 


= See, e.g., http://www.bluekai.com/consumers howdoesitwork.php (simple 
description of how OBA works, how it benefits consumers, and how consumers can 
exercise choice with respect to OBA); http://www.google.com/privacy.html (new 
content in privacy center); http://choice.live.com/ (new consumer education site, 
linked to from an icon served next to ads, with new video content explaining 
personalized advertising). 


12 


2010 NAI Annual Compliance Report 


that may be merged; (5) an easy-to-use procedure for exercising opt 
in or opt out choice with respect to OBA data use (with the choice 
provided depending on the type of data); and (6) the approximate 
length of time that data used for OBA, Multi-Site Advertising, and/or 
Ad Delivery and Reporting will be retained by the member company. 


Findings 


The NAI Code allows members the flexibility to disclose and 
explain their collection and use of data for OBA purposes in any 
manner, so long as the disclosure is clear and conspicuous and 
conveys all required information. NAI staff found that all evaluated 
members include notices on their websites that adequately describe 
their data collection, transfer, and use practices. And unlike in 2009, 
when NAI staff found that almost half of evaluated member companies 
lacked the retention disclosure required by the NAI Code, all member 
companies evaluated in 2010 publicly disclose their retention periods 
for OBA data. 


Some member companies increased the visibility and readability 
of their OBA disclosures in 2010. For example, NAI member companies 
have continued to deploy new creative consumer-facing tools to 
increase the transparency of the OBA data they hold about users and 
to offer granular controls with respect to that data.” In addition, many 
member companies have recently made information about their OBA 
practices easier to find by moving them into consumer-focused 
sections of their websites, labeled with prominent tabs and buttons 
such as “consumer information,” “privacy,” and “opt out.” These Web 
pages generally summarize the member companies’ collection and use 
of data for OBA purposes, and provide prominent links to permit 
consumers to opt out of the use of their data for OBA purposes. Other 
members have made their OBA-related privacy policies easier to 
understand by segregating privacy practices governing the collection 


26 In addition to the NAI members offering preference managers that were 


mentioned in the 2009 report, newer NAI members Lotame and Exelate also offer 
similar tools that allow users to view the interest categories associated with their 
browsers. See http://tags.bluekai.com/registry (Bluekai); 
http://www.exelate.com/home/consumer-preference-manager-opt-out.html 
(Exelate); http://www.google.com/ads/preferences/ (Google); 
http://www.lotame.com/privacy-center/preferences/ (Lotame); 
http://info.yahoo.com/privacy/us/yahoo/opt_out/targeting/details.html (Yahoo). 
New member Bizo also offers such transparency tools. See 
http://www.bizo.com/businessProfessionals/your bizo cookie. 


13 


2010 NAI Annual Compliance Report 


and use of non-PII gathered about consumers from privacy practices 
governing the collection and use of PII provided by their business 
customers. While member companies have made great strides in 
increasing the visibility and comprehensibility of their OBA notices, NAI 
staff used the compliance review to suggest further best practices 
improvements to members’ consumer-facing disclosures.” 


NAI member companies also have made considerable progress in 
providing notice to consumers at the point of data use - where 
consumers see targeted ads. In October, the NAI joined other leading 
advertising and marketing associations in announcing the launch of a 
cross-industry program for self-regulation of online behavioral 
advertising, including a web site (www.aboutads.info) where 
companies can register to use an enhanced notice icon to be displayed 
within or near online ads or on Web pages where data is collected and 
used for interest-based ads.” In addition to these industry-wide 
efforts, NAI member companies Criteo, Fetchback, Google, Microsoft, 
and Yahoo!, have already deployed notice in or around ads.” Indeed, 


= See, e.g., http://www.xplusone.com/ (prominent “privacy” tab on home 
page); http://www.aggregateknowledge.com/ (prominent “Opt Out” Button on home 
page); http://www.almondnet.com/ (“privacy center” and “opt out” tabs on home 
page); http://www.audiencescience.com/ (“consumers” tab on home page); 
http://www.bluekai.com/ (“consumers” button on home page); 
http://affiniti.datalogix.com/ (“consumers” button on online targeting home page); 
http://www.exelate.com/home/index.html (“consumer privacy” tab on home page); 
http://www.lotame.com/ (“manage your privacy preferences” tab on home page); 
http://media6degrees.com/ (prominent “opt out” button in footer of every page on 
website); http ://www.mindset-media.com/ (opt out link on home page); 
http://www.permuto.com/ (opt out link on home page); http://www.tumri.com/ (opt 
out button on top of home page); http://www.turn.com/ (prominent “privacy” tab on 
home page). 


ae In anticipation of the deployment of icon-based consumer notice, the NAI and 


IAB in April 2010 released the CLEAR (Control Links for Education and Advertising 
Responsibly) Ad Notice Technical Specifications. These specifications offer a technical 
foundation for providing consumers more detailed information about the ads they 
see that are based on their interests and behaviors, using metadata that can travel 
with each ad. This approach is expected to give publishers, advertisers, and ad 
networks flexibility to adopt innovative approaches to enhanced consumer 
disclosures. See supra note 8. 


7 See http://www.criteo.com/us/retargeting/privacy- 
matters?0ecea38193df0c9bab184bf1b140820e=2f62937d2606e5eeb2cfc5014ad743 


www.fetchback.com/press 061509.html; 
http://googlepublicpolicy.blogspot.com/2009/10/coming-to-online-ad-near-you- 


more-ads.html; http://www.msn.com/; 
http://info.yahoo.com/privacy/us/yahoo/relevantads.html. 
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these NAI member companies have already served tens of billions of 
online advertisements with notice in or around the ad. 


2. Web Site Partner Notice 
Standard 


In addition to providing notice and choice on their own websites, 
NAI members must require websites with which they partner for OBA 
or Multi-Site Advertising to also post notice and provide consumers a 
means of exercising choice with regard to OBA. Specifically, section 
III.2(b) of the NAI Code obligates members to require websites with 
which they contract for OBA or Multi-Site Advertising services to 
clearly and conspicuously post notice or ensure that notice is made 
available on the website where data are collected for OBA or Multi-Site 
Advertising purposes. Such notice must contain: (1) a statement of 
fact that OBA and/or Multi-Site Advertising is occurring; (2) a 
description of the types of data that are collected for OBA or Multi-Site 
Advertising purposes; (3) an explanation of how and for what 
purposes that data will be used or transferred to third parties; and (4) 
a conspicuous link to the OBA choice mechanism provided by the 
member, and/or the opt out page on the NAI’s website. 


In the event a member is notified or otherwise becomes aware 
that a contractee is in breach of these duties, the member is required 
to make reasonable efforts to enforce the contract. (NAI Code § 
III.2(c).) Even in the absence of a contractual relationship, members 
are required to make reasonable efforts to ensure that all companies 
engaging in their OBA, Multi-Site Advertising, and/or Ad Delivery and 
Reporting furnish or require notices comparable to those described. 
(NAI Code § III.2(d).) 


Findings 


Evaluated member companies submitted provisions from their 
OBA contracts requiring advertising partners to display NAI-required 
notice and choice. Members verified that these provisions are included 
in their standard operating contracts or other standard terms with 
partner sites. Many members use sample language provided by the 
NAI, modified as necessary to reflect their business practices. Based 
on its review of these contractual provisions, NAI staff believes that 
the evaluated member companies generally included appropriate 
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provisions in their contracts, consistent with section III.2(b) of the NAI 
Code. *° 


In its 2009 Compliance Report, NAI staff found that although the 
evaluated member companies had adequate contractual provisions to 
require OBA notice and choice on partner websites, the notices 
required by these contractual provisions were not present on partner 
websites at a sufficient level of frequency.” In that report, NAI staff 
found that some evaluated members lacked robust programs for 
enforcing contractual notice requirements (or for otherwise ensuring 
that notice is present where data are collected or used for their 
behavioral advertising), and that member companies could take 
additional steps to help ensure that the websites where they engage in 
OBA provide consumers notice consistent with the NAI Code. The NAI 
accordingly committed to developing and implementing a partner 
notice implementation plan with the goal of expanding OBA notice and 
choice across the websites that partner with NAI members. 


To implement this plan, the NAI convened a working group to 
examine the barriers to achieving notice on partner sites and to 
develop tools to address those barriers. As part of this process, NAI 
staff interviewed NAI member companies about their efforts to require 
partners to post appropriate notice and the obstacles they had faced. 
Among other things, member companies reported that some web 
publishers, particularly smaller publishers, needed additional education 
about the NAI’s self-regulatory program, as well as about the 
program’s objective to provide notice and choice with respect to OBA 
practices. To address this need, the NAI developed new educational 
documents to explain to web publishers what the NAT is, its mission, 
why notice and choice are important, and what web publishers can do 
to comply with contractual notice requirements. The NAI also 
increased its training and outreach to member companies about best 
practices for enforcing contractual notice requirements. 


R In some instances, NAI staff found that evaluated member companies’ 


contractual language could more explicitly require notice and a choice mechanism for 
OBA practices. In such cases, NAI staff suggested improvements to the language, 
which member companies agreed to implement. NAI staff also advised some 
member companies to add standard notice and choice requirements to their form 
contracts even where notice and choice is not required by the NAI Code. 


31 See NAI 2009 Annual Compliance Report, supra note 11, at 24-26. 
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In 2010, NAI staff evaluated members’ plans for requiring 
partners to provide notice and choice as well as their processes for 
enforcing contractual notice provisions. NAI staff also reviewed 
members’ own findings with regard to whether the websites with which 
they partner have NAI-required notice and choice in place. NAI staff 
noted increased efforts by member companies to enforce contractual 
notice requirements since the 2009 compliance review. Some member 
companies have adopted more systematic processes for evaluating the 
notice provided by their partners and following up with those that lack 
proper notice, while other member companies have augmented their 
existing processes to enforce notice requirements, such as by checking 
more partner websites for notice or checking partner websites on a 
more regular basis. 


In addition to these efforts to achieve a greater level of notice in 
their partners’ website privacy polices, the NAI and its member 
companies have also implemented the NAI’s partner notice plan by 
increasing efforts to deliver notice and choice to consumers more 
directly through notice in and around the ads they serve.** As 
described above, the NAI and its member companies have actively 
supported the development and deployment of technical specifications 
that allow for the placement of a clickable icon for delivering notice to 
consumers in and around OBA ads. These efforts increasingly permit 
NAI member companies to deliver notice of OBA data collection and 
use and opt out mechanisms directly to consumers, regardless of 
whether they have a direct contractual relationship with the websites 
where OBA data is collected or used, and regardless of their success in 
enforcing contractual notice requirements. This “just in time” notice to 
consumers, moreover, is provided in and around the ads consumers 
view, providing a means other than through privacy policies for 


a2 The “Associations Principles” were released in July 2009 by leading 


advertising industry associations to govern the collection, use, and transfer of 
information for OBA. Section II.B of the Associations Principles requires that when 
data is collected from or used on a Web site for OBA purposes, the operator of the 
Web site include a clear, meaningful, and prominent link on the webpage where data 
is collected or used for such purposes that links to a disclosure that describes the 
OBA taking place, states the adherence to the Principles, and contains an opt out 
mechanism. This disclosure is not necessary when enhanced notice is provided by 
the third party placing the ad. Section II.A(2)(a) provides that this enhanced notice 
may be provided either in or around the ad, or on the web page where data is 
collected. See AAAA/ANA/BBB/DMA/IAB Principles, available at http://www.the- 
dma.org/government/ven-principles%2007-01-09%20FINAL. pdf. 
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consumers to understand OBA data collection practices and to find out 
how to opt out of use of their data for OBA purposes. 


The NAI’s pass-on notice efforts, increased enforcement efforts 
by NAI members, and the concurrent implementation of a cross- 
industry self-regulatory program by leading advertising and industry 
associations collectively appear to have improved the availability of 
notice and choice mechanisms on websites where data are collected 
for OBA purposes. In order to test the NAI’s progress and that of its 
membership, NAI staff conducted its own analysis of the most popular 
websites for the presence of notice and choice. NAI staff’s independent 
testing of popular websites demonstrates that the vast majority of 
websites where data appear to be collected or used for OBA provide 
notice of the collection of data by third parties for and provide a link to 
the NAI’s opt out page or to an opt-out mechanism provided by an NAI 
member company (and thus also an indirect link to the NAI). These 
disclosures appear either in privacy policies, in enhanced notice icons 
in or around ads, or in stand-alone disclosure links for consumers 
(such as “About Our Ads”). 


C. Choice 
1. Opt-Out Consent for use of Non-PII 
Standard 


As set forth above, members must provide and honor an opt out 
mechanism for the use of non-PII for OBA purposes. (Code § 
III.3(a)(i).)*? This opt out mechanism must be available both on the 
member’s website and on the NAI consumer website. (Jd. ) 


33 The NAI Code contemplates differing levels of consent for different types of 


data. Use of non-PII alone requires opt-out consent. Merger of non-PII with PII going 
forward (prospective merger) requires robust notice and an opt out mechanism. 
(Code § III.3(a)(ii).) Merger of PII with previously-collected non-PII for OBA 
purposes (retrospective merger) requires opt in consent. (Code § III.3(a)(iii).) No 
member companies collect or use PII for OBA purposes, and thus no company was 
required to obtain opt in consent or to provide robust notice for merger of PII or non- 
PII in 2010. This report accordingly addresses evaluated member companies’ 
procedures for offering and honoring opt-out requests only. 
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Findings 


As described above, consumers can opt out of collection of their 
data for OBA purposes by any or all NAI member companies on the 
NAI Web site. In addition, each member must provide an easy-to-use 
procedure for opting out of the use of data for OBA purposes on its 
own Web site. NAI staff determined that all evaluated member 
companies provide appropriate opt out mechanisms on their Web sites. 
As with notice, member companies have made these opt out 
mechanisms increasingly easy to locate and to use, such as through 
prominent “opt out” buttons on their home pages and in their privacy 
policies. As noted above, NAI members have also continued to deploy 
more granular approaches to opt out, such as through ad preference 
managers that allow consumers to edit the interests associated with 
their browsers.** As part of the review process, NAI staff also shared, 
and members adopted, best practices recommendations for increasing 
the visibility of opt out tools and enhancing user experience with those 
tools. 


In addition to ensuring that evaluated members provide an opt 
out mechanism, NAI staff sought to ensure that members also honor 
consumers’ opt out choices. To that end, NAI staff reviewed the 
technical functionality of member companies’ opt out tools, reviewing 
what effect the presence of an opt out cookie has on collection and use 
of consumer data, members’ processes for testing their opt out 
mechanisms, and whether there had been any failures in opt out 
functionality. *° 


NAI staff found that, on the whole, members have good 
processes in place for ensuring that they honor consumers’ opt-out 
choices and do not use OBA data to target ads to consumers who have 
opted out. NAI staff did find, however, that a handful of evaluated 
member companies’ opt out tools had occasionally malfunctioned, 
particularly when companies made back-end configuration changes 
(for example, new code deployments or domain changes). These 
changes can result in relatively minor disruptions to the opt-out 
process, such as the temporary inability to set opt out cookies or 
display opt out status, or can cause more serious failures such as 


ae See supra note 26. 


33 Staff also specifically reviewed whether the evaluated companies used any 


mechanisms other than http cookies, as discussed below. 
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temporary nonrecognition** or even permanent loss?” of existing opt 
out cookies. 


While these issues affected only a handful of member companies 
and had relatively small impact on users, NAI staff believes that these 
issues were partly attributable to the member companies involved not 
having fully anticipated potential risks to opt out cookie mechanisms 
during systems migrations, and insufficient testing of opt out 
functionality following those changes. While acknowledging that no 
systems are perfect, and that technical malfunctions will occasionally 
occur, NAI staff nevertheless believes that a greater emphasis on 
preserving existing opt out cookies and the ability of users to opt out 
during systems migrations would help ensure the reliability of opt out 
choices. NAI staff accordingly is recommending that all NAI member 
companies adopt policies and procedures designed to ensure the 
protection of users’ existing opt out cookies and users’ continuing 
ability to opt out following any systems changes or other changes in 
business practices that may affect opt out cookies. NAI staff will 
evaluate member companies’ implementation of such procedures 
during annual compliance reviews and in the event of any opt out tool 
malfunctions. 


NAI staff also reviewed member companies’ use of any 
technologies other than HTTP cookies for OBA or other purposes 
covered by the NAI Code. The NAI’s review included not just uses of 


80 During the compliance review period, a member company inadvertently 


introduced a coding error that caused its ad serving system to disregard some users' 
pre-existing opt out choices for a period of approximately one week. The coding error 
affected approximately 400 users. Once the issue was discovered, the company 
immediately corrected it and reported it to the NAI. Although the company had 
quality assurance procedures in place, the procedures did not prevent the coding 
error. The company has agreed to implement improved quality assurance procedures 
for its opt out systems that are designed to help ensure that similar incidents do not 
occur in the future. 

3 A member company, in the course of transitioning away from the opt-out 
cookie historically used by one of its legacy networks (also an NAI member), 
inadvertently failed to save and recognize opt out choices for that particular network. 
However, opt out choices continued to be honored if the user had opted out of both 
the member company’s network and the legacy network (such as by opting out of all 
member companies on the NAI web site). Upon learning of the incident, the company 
notified the NAI of the event, and informed users of the need to renew their opt out 
choices, both in its privacy policy and in connection with its opt out tool on the NAI 
opt out page. The company has further committed to implement policies and 
procedures to avoid similar occurrences in the future. 
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Flash or similar LSO technologies, °° but also any other new 
technologies that could be used for OBA purposes. All the evaluated 
member companies confirmed that they do not use Flash cookies for 
OBA, Ad Delivery & Reporting, or Multi-Site Advertising. However, two 
member companies reported using browser cache files for the purpose 
of storing unique identifiers to count users (but not for creating or 
storing any interest segments for OBA purposes). NAI staff determined 
that the NAI’s LSO policy did not fully address such usage of the 
browser cache. NAI staff recommended, and the NAI has now adopted, 
a broadened policy limiting the use of the Web browser cache for OBA 
or other related purposes. >’? 


In addition to ensuring that member companies properly monitor 
and test the opt out mechanisms they provide, NAI staff also regularly 
test members’ opt out mechanisms offered through the NAI opt out 
page. NAI staff performs this testing on a weekly basis, or as needed 
in response to consumer questions. The testing is done from a user’s 
perspective, replicating users’ experiences under various conditions. 
The testing always includes baseline conditions on current versions of 
several standard web browsers in both Windows and Mac. NAI staff 
also occasionally tests other conditions, such as with web browsers set 
to block third party cookies, or with or without opt out cookies already 
present. 


For the 2010 compliance review, NAI staff conducted further 
testing of the opt out tools provided by all members undergoing review 
both on the NAI opt out web page and on the members’ own sites. 
Specifically, NAI staff checked members’ opt out tools to ensure that 
an opt-out cookie with at least a five-year lifespan was set,*° and that 


Be In January 2010, the NAI adopted a policy that member companies not use 


Flash cookies and other LSOs for OBA, Ad Delivery & Reporting, and/or Multi-Site 
Advertising until such time as web browser tools provide the same level of 
transparency and control available today for standard HTML cookies. 


33 The NAI’s revised policy provides that “[/a]s with LSOs, the NAI takes the 
position that the web browser cache does not currently afford users an appropriate 
degree of transparency and control, and that such browser-based storage 
technologies should not be used by NAI members for OBA, Multi-site Advertising, or 
Ad Delivery & Reporting purposes until such time as these technologies allow for the 
same level of transparency and control as is available today for standard HTTP 
cookies.” See http://www.networkadvertising.org/managing/fagqs.asp#question 19. 


ii NAI policy requires a minimum five-year lifespan for opt-out cookies. 
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opt out status was conveyed in an understandable fashion.*: NAI staff 
further recommended that any non-essential cookies be expired. 


While NAI staff conducts extensive external testing that 
replicates users’ experience with opt out tools and the opt out cookies 
visible in their browsers, NAI staff believes that further independent 
testing could enhance confidence that users’ choices are honored. NAI 
staff accordingly recommends that the NAI evaluate the utility of 
separate, random external reviews of key components of the NAI 
Code, including the technical mechanisms supporting consumer-facing 
opt out choices. 


2. Opt-In Consent for Use of Sensitive Consumer 
Information For OBA 


Standard 


If member companies wish to use Sensitive Consumer 
Information for OBA, the NAI Code requires them to obtain consumers’ 
opt in consent for such use. (Code § III.3(a)(iv).) “Sensitive Consumer 
Information” is defined to include Social Security Numbers and other 
government-issued identifiers, insurance plan numbers, financial 
account numbers, precise real-time geographic location derived 
through GPS-enabled services, and precise information about past, 
present, or potential future health or medical conditions or treatments. 
(Code § II.8.) 


Findings 


For the evaluated members, NAI staff found that financial 
account numbers, insurance plan numbers, social security numbers or 
other government-issued identifiers, or precise real-time geographic 
location information are not being collected or used for OBA purposes. 
The compliance process demonstrated that evaluated member 
companies have a uniformly high awareness of the sensitivity of this 
data, and have protections in place to ensure that it is not collected or 
used for OBA without the consumer consent mechanisms specified by 
the Code. 


a NAI staff also looked to see whether evaluated companies continued to use 


any cookies after the opt out cookie was set. Where NAI staff observed such 
behavior, NAI staff inquired into the purpose of the cookie(s) to ensure that such 
cookie(s) were not used for OBA purposes. 
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With respect to sensitive health information, NAI staff found that 
evaluated companies have procedures in place for evaluating any 
potential collection or use of health-related information for OBA 
purposes or the creation of any health-related interest segments. 
These policies and procedures are designed to delineate non-sensitive, 
as opposed to potentially sensitive, types of consumer information 
consistent with the NAI Code. 


However, NAI staff’s review revealed that one member company 
had used certain precise health-related categories to determine ad 
selection, without obtaining opt-in consent. NAI staff informed the 
company that this practice did not comply with the NAI Code and the 
company agreed to cease the practice immediately, thereby satisfying 
the Code’s remediation requirements.** The company further agreed to 
adopt procedures designed to ensure that it will not target users on 
the basis of precise health-related information in the future. 


In light of this issue, NAI staff has concluded that a broader 
policy response should be implemented to help advance appropriate 
marketplace practices for health-related information. NAI staff believes 
that that greater transparency for health-related categories used in 
online behavioral advertising would help promote compliance with the 
Code’s sensitive consumer information requirements and would be an 
efficient means of normalizing best practices by all participants in the 
online advertising marketplace. Accordingly, NAI Staff is proposing 
that its member companies be required to disclose publicly any 
standard segments used for OBA purposes that are based on health- 
related information.* 


42 See NAI Compliance Program Consumer Complaint Process, available at 


http://networkadvertising.org/managing/NAI COMPLIANCE AND ENFORCEMENT PR 
OGRAM Consumer Complaint detail.pdf, at 2 (“If a member either fails to respond 
to staff notice of non-compliance, fails to provide an action plan to redress the defect 
within 30-business days, or fails to accomplish its action plan within 30-business 
days from the date of notice by NAI staff, the matter shall be referred to the NAI 
Board of Directors for review, with a recommendation by staff for sanctions.”). 


a Such a policy would also complement the adoption of specific implementation 


guidelines with respect to sensitive health information that reflect emerging 
regulatory guidance. 
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D. Use Limitations 
1. Children 
Standard 


The NAI Code prohibits the use of non-PII or PII to create OBA 
segments specifically targeted at children under 13 without verifiable 
parental consent. (NAI Code § III.4(a).) 


Findings 


None of the evaluated members were found to create segments 
specifically targeting children under thirteen, and NAI staff's review 
revealed no compliance deficiency with respect to this provision of the 
Code. The member companies have processes and procedures in place 
to ensure that segments specifically targeted at children under thirteen 
are not created or used. 


2. Marketing Purposes 
Standard 


Under the NAI Code, members directly engaged in OBA are 
prohibited from using, or allowing the use of, OBA segments other 
than for marketing purposes. (NAI Code § III.4(b).) “Marketing 
Purposes” is defined as “any activity undertaken to collect, aggregate, 
analyze, maintain, update, or sell information in order to tailor content 
or services that allows or induces consumers to take action to 
purchase, rent, or exchange products, property or services, to solicit a 
charitable donation, to utilize market research or market surveys, or to 
provide verification services to marketers.” (NAI Code § II.9.) 


Findings 


None of the evaluated members were found to use, or allow the 
use of, OBA segments for any purposes other than marketing as 
defined by the NAI Code. Member companies report having contractual 
provisions and other processes in place to limit the use of their data 
other than for marketing purposes. NAI staff’s review revealed no 
compliance deficiency with respect to this provision of the Code. 
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3. Collection of PII in Absence of Contract 
Standard 


The NAI Code forbids the collection of PII for OBA purposes in 
the absence of a contractual relationship with the company. (NAI Code 
§ III.4(c).) 


Findings 


None of the evaluated members were found to collect PII for 
OBA purposes from third parties, and NAI staff’s review revealed no 
compliance deficiency with respect to this provision of the Code. 


4. Changes of Privacy Policy With Regard to PII 
Standard 


The NAI Code provides that if a member changes its own privacy 
policy with regard to PII and merger with non-PII for OBA purposes, 
prior notice must be posted on the member’s Web site, and any 
material change shall only apply to changes collected following the 
change in policy. (NAI Code § III.4(d).) Further, if data is collected 
under a privacy policy that states that data would never be merged 
with PII, such data may not be later merged with PII in the absence of 
an opt in consent from the consumer. (NAI Code § III.4(e).) 


Findings 


None of the evaluated members were found to have changed 
their privacy policies to allow the merger of PII with non-PII, and NAI 
staff’s review revealed no compliance deficiency with respect to this 
provision of the Code. 


E. Transfer & Service Restrictions 
1. Sharing of PII 
Standard 


NAI members must contractually require any third parties to 
which they provide PII for OBA or Multi-Site Advertising to adhere to 
applicable provisions of the NAI Code. (NAI Code § III.5(a).) 
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Findings 


None of the evaluated members were found to share PII for OBA 
or Multi-Site Advertising purposes with third parties, and NAI staff’s 
review revealed no compliance deficiency with respect to this provision 
of the Code. 


2. Sharing of Non-Aggregate Non-PII 
Standard 


When members provide non-aggregate non-PII to third parties 
to be merged with PII possessed by the third parties for OBA or Multi- 
Site Advertising services, they must contractually require the third 
parties to adhere to applicable provisions of the Code. (NAI Code § 
III.5(b).) 


Findings 


None of the evaluated members were found to be sharing non- 
aggregate non-PII with the intent of the data being merged with PII 
possessed by third parties. Those members that do share non- 
aggregate, non-PII OBA data with other companies include provisions 
in their contracts governing such sharing to ensure that non-aggregate 
non-PII is protected appropriately and is not merged with PII. NAI 
staff’s review of those contractual provisions and members’ internal 
policies with regard to any such sharing revealed no compliance 
deficiency with respect to the requirement that members take 
appropriate measures to ensure that the non-aggregate non-PII that 
they share with third parties is protected in accordance with the NAI 
Code. 


F. Access 
Standard 


Members are required to provide consumers with reasonable 
access to PII, and other information associated with that PII, retained 
by the member for OBA or Multi-Site Advertising purposes. (NAI Code 
§ III.6(a).) 


Findings 


None of the evaluated members were found to be using PII for 
OBA or Multi-Site Advertising purposes. Accordingly, the requirement 
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of access to PII and associated non-PII data under section III.6(a) was 
not implicated. ** 


G. Reliable Sources 
Standard 


Members are required to make reasonable efforts to ensure that 
they are obtaining data for OBA, Multi-Site Advertising, and/or Ad 
Delivery and Reporting from reliable sources. (NAI Code § III.7(a).) 


Findings 


Upon review of members’ responses to the NAI questionnaire 
and supporting materials, NAI staff found no compliance deficiency 
with respect to the requirement that members make reasonable efforts 
to ensure that the data they obtain for OBA, Multi-Site Advertising, 
and/or Ad Delivery and Reporting come from reliable sources. Most 
members report obtaining such data from NAI members that are 
bound by the NAI Code, or from companies that are applying to 
become NAI members and are bringing their practices into alignment 
with the NAI Code. Some members reported obtaining data to be used 
for OBA purposes from entities that are not NAI members. In those 
instances, the relevant members report having processes in place to 
ensure that the companies from which they obtain data have 
appropriate protections to ensure reliability. Members that obtain OBA 
data from third parties report conducting due diligence on those 
sources - including the sources’ privacy practices and whether the 
data was obtained with appropriate disclosure and consents - in order 
to help verify that it is complete, accurate, and obtained with any 
required consents. 


a Some member companies provide users access to the non-PII interest 


categories associated with their browsers. Current NAI member companies providing 
such access include Blue Kai, Exelate, Google, Lotame, and Yahoo!. See 
http://tags.bluekai.com/registry; http://www.exelate.com/home/consumer- 
preference-manager-opt-out.html; http://www.qgoogle.com/ads/preferences/; 
http://www.lotame.com/privacy-center/preferences/; 
http://info.yahoo.com/privacy/us/yahoo/opt_out/targeting/details.html. 
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H. Security 
Standard 


Members that collect, transfer, or store data used in OBA, Multi- 
Site Advertising, and/or Ad Delivery and Reporting are required to 
provide reasonable security for that data. (NAI Code § III.8(a).) 


Findings 


NAI staff’s review revealed no compliance deficiencies with 
respect to members’ obligation to provide reasonable security for data 
used for OBA, Multi-Site Advertising, and/or Ad Delivery and 
Reporting. NAI staff reviewed member companies’ descriptions of their 
security policies and protections, in order to establish that the member 
companies had conducted an appropriate evaluation of the 
technological, administrative, and physical protections for data subject 
to the NAI Code.*° 


I. Data Retention 
Standard 


Members engaged in OBA, Multi-Site Advertising, and/or Ad 
Delivery and Reporting are required to retain data collected only as 
long as necessary to fulfill a legitimate business need, or as required 
by law. (NAI Code § III.9(a).) 


Findings 


NAI staff’s evaluation of the periods for which members report 
retaining data for NAI-related purposes found that member companies 
articulated legitimate business needs for their retention practices. As 
in 2009, where companies reported longer-than-average retention 
periods, NAI staff asked members about the reasons for such retention 
and reminded members of the need to keep pace with evolving best 
practices, including minimizing the data retained. 


a The NAI’s review process under the Code did not function as a formal audit of 


data security, although any such audits undertaken by member companies were 
considered as part of the review process. 
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J. Applicable Law 
Standard 


Members are required to adhere to all applicable laws. Where the 
requirements of applicable law exceed or are in conflict with the Code, 
members must abide by applicable law. Where the requirements of the 
Code exceed those of applicable law, members must conform to the 
higher standards of the Code (insofar as compliance with the Code is 
not contrary to applicable law). (NAI Code § III.10.) 


Findings 


NAI staff's review revealed no evidence of violations of the 
“applicable law” provision of the NAI Code. 


K. Consumer Communications 
Standard 


NAI members are required to maintain a centralized mechanism 
linked to the NAI website to receive consumer questions or complaints 
relating to members’ compliance with the Code. (NAI Code § IV.2(a).) 
NAI members also are required to respond to and make reasonable 
efforts to resolve questions implicating their compliance with the NAI 
Code within a reasonable period of time. (NAI Code § IV.2(b).) 


Findings 


The NAI website contains a form, phone numbers, postal 
addresses, and email addresses, all of which permit consumers to 
submit questions or complaints relating to members’ compliance with 
the Code as required by NAI Code § IV.2(a). As detailed in section IV, 
the NAI fields thousands of consumer inquiries through these 
mechanisms. 


As in 2009, NAI staff tested members’ compliance with section 
IV.2(b) of the NAI Code by reviewing members’ sites to ensure that 
they provide a mechanism for consumers to submit questions or 
concerns regarding NAI issues. NAI staff then independently tested 
member companies’ responses to consumer questions regarding their 
opt out procedures. Most of the evaluated member companies 
responded promptly and with informative responses. 


In some instances, however, NAI staff found that evaluated 
members’ responses to these inquiries were insufficiently responsive 


29 


2010 NAI Annual Compliance Report 


or were not sufficiently prompt. NAI staff reminded such members of 
the need to have a functioning contact mechanism on their websites, 
and to respond to any questions or concerns related to NAI compliance 
in a timely manner. After being notified of these issues, all affected 
members reported having updated their mechanisms for responding to 
consumer questions to ensure that consumer questions with respect to 
OBA practices and compliance with the NAI Code are timely and 
accurately addressed. NAI staff re-tested affected members’ consumer 
communications mechanisms, and received a timely response from 
each providing information about OBA practices. 


IV. Customer Communications 


The NAI receives queries and complaints from consumers 
through multiple mechanisms: these include a form on the NAI web 
site, email, postal mail, and telephonic inquiry. The NAI is required to 
“produce an annual summary of the nature and number of consumer 
complaints received, the nature and number of complaints that were 
escalated to membership and the nature and number of matters 
referred to the Board, specifying the name of companies, if any, that 
were sanctioned for failure to remedy compliance defects.”*° 


In its 2009 Compliance Report, the NAI stated that it would 
“continue to work to adopt enhancements to the messaging and 
functionality of the NAI Web site” and that it would “improve its 
procedures for logging and tracking consumer complaints and to track 
the performance of its members throughout the year.” In 2010, NAI 
staff adopted improved procedures for tracking and reviewing 
consumer queries, with an emphasis on identifying technical issues 
with the opt out page as quickly as possible.“ To that end, NAI staff 
continuously monitored all consumer communications to identify 
possible technical issues with member companies’ opt outs or the NAI 
opt out page, and to take in credible claims of compliance deficiencies 
on the part of NAI members. 


si See NAI Compliance Program Complaint Process, supra note 42, at 2. 


47 These improved tracking methods will be further supplemented by the launch 
of the improved opt out tool on the NAI website in 2011. As noted above, see supra 
at 11, that tool will include enhanced help and error handling features. Logging 
facilities built into the page will give the NAI new tools to respond quickly to any opt 
out issues and to improve the functionality of members’ opt out tools. 
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In total, NAI staff fielded 5,832 consumer communications in 
2010. Of these, almost 50% either had no discernible topic, or 
pertained to issues not within the scope of the NAI's mission, such as 
requests to opt out of email communications or to remove PII from 
web sites. Of those that were within scope of the NAI's mission, the 
remaining communications pertained to use of the NAI opt out web 
page. These communications served to supplement the NAI's own 
testing of members’ opt out tools, and were occasionally helpful in 
identifying and solving issues with particular members’ opt outs. In 
such cases, NAI staff worked informally with the member company to 
correct the issue. 


No consumer communications presented complaints of 
noncompliance with the NAI Code that required escalation to individual 
member companies or to the NAI Board. NAI staff believes that it has 
resolved all matters raised in consumer communications it received in 
2010 that are related to the NAI and are conducive to resolution. 


V. CONCLUSION 


As in 2009, the NAI’s 2010 compliance review process continued 
to provide comprehensive insight into the behavioral advertising 
practices, policies, and procedures of its member companies. 
Throughout the process, the evaluated companies cooperated with NAI 
staff and provided extensive information and documentation 
concerning their marketing practices. The review found that the vast 
majority of evaluated companies met their compliance obligations with 
respect to all of the substantive requirements of the NAI Code. With 
respect to the issues identified in 2010, NAI staff is recommending 
specific policies designed to establish practice requirements that would 
improve NAI’s member compliance and improve marketplace practices 
generally. These policies, together with NAI members companies’ 
continuing commitment to the NAI Code and compliance process, will 
continue to advance the NAI’s mission of providing transparency of 
behavioral advertising practices and honoring users’ behavioral 
advertising choices. 
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